Before launching into the attacks and countermeasures, we'll provide an overview of the basic Cisco AVVID components.
Cisco's VoIP PBX, otherwise known as the Cisco Unified CallManager, was originally released as Multimedia Manager 1.0 in 1994 as a videoconferencing signaling controller. In 1997, it was renamed Selsius-CallManager and had evolved into a VoIP call router. Cisco then acquired Selsius in 1998, at which time the product was built on Windows NT 3.51 and was subsequently renamed Cisco CallManager. Even though Cisco CallManager is a software application, it is installed and sold on customized hardware platforms called Cisco Media Convergence Servers (MCS) (http://www.cisco.com/en/US/products/hw/voiceapp/ps378/index.html or http://tinyurl.com/djao3).
In March 2006, Cisco added the "Unified" moniker to all of its VoIP and video products, and the newly dubbed Cisco Unified CallManager was released under versions 4.2 and 5.0. The 5. x branch is a major departure from the traditional Windows-based 3. x and 4. x installations in that the CallManager software actually runs on a Linux appliance instead of an MCS. While users of the 3. x and 4. x CallManager had fairly open access to the underlying Windows Server 2003 or Microsoft Windows 2000 Server, the 5. x Linux appliances are locked down with only a management interface for most administrative functions. Also available from Cisco is the Cisco Unified CallManager Express (http://www.cisco.com/en/US/products/sw/voicesw/ps4625/index.html or http://tinyurl.com/o6kw7), which is a slimmed-down version of CallManager that is embedded on certain supported routers running IOS. Each CallManager Unified Express installation can support up to 240 lines in comparison to the standard Unified CallManager deployment that can support up to 30,000 lines per server.
At the time of this book's publication, the majority of large enterprise deployments were still running versions 4. x, so we decided to concentrate on those instead of the fairly new 5. x deployments. With the exception of the OS-specific attacks, most of the other exploits and countermeasures are also applicable to the 5. x branch of CallManager as well.
Cisco sells a plethora of VoIP phones. As of the time of this book's publication, these are the most popular:
Cisco Unified IP Phone 7985G A personal desktop videophone that enables instant, face-to-face communications, the Cisco Unified IP Phone 7985G incorporates a camera, LCD screen, speaker, keypad, and handset into a single, easy-to-use unit.
Cisco Unified IP Phones 7971G-GE, 7961G-GE, and 7941G-GE A suite of IP phones that delivers Gigabit Ethernet Voice over IP.
Cisco Unified IP Phones 7970G, 7961G, 7960G, 7941G, and 7940G These phones feature high-resolution display capabilities, XML applications, multiple lines, and an intuitive interface for business professionals.
Cisco Unified IP Phones 7912G, 7911G, and 7905G These phones feature a single-line, pixel display for XML capabilities.
Cisco Unified Wireless IP Phone 7920 This phone delivers up to six extensions, a menu-driven graphical interface, and faster roaming.
Cisco Unified IP Phone 7902G This single-line, entry-level IP phone does not have a display and is designed to meet basic calling requirements for environments such as lobbies , laboratories, manufacturing floors, and hallways.
A complete list of phones is available on Cisco's website at http://www.cisco.com/en/US/products/hw/phones/ps379/index.html.
Cisco provides a softphone client called Cisco IP Communicator that runs on a Windows PC and integrates with your existing CallManager deployment (http://www.cisco.com/en/US/products/sw/voicesw/ps5475/index.html or http://tinyurl.com/g24lc). The client has most of the basic features of the hard phones and is targeted at remote workers or road warriors.
Skinny Client Control Protocol (SCCP but nicknamed "Skinny") is Cisco's proprietary lightweight H.323-like signaling protocol used between Cisco Unified CallManager and Cisco Unified phones. Because the Skinny protocol is proprietary to Cisco, there are not many public references on its internals or format. There are, however, some open source implementations of SCCP including an Asterisk SCCP module, as well as a Wireshark SCCP dissector.
Cisco IP phones are, in general, fairly dependent on the CallManager to perform most of their functions. For instance, if a phone is taken off the cradle, it will communicate this fact to the CallManager, which will then instruct the phone to play the appropriate dialtone. By itself and disconnected from the CallManager, the phone can't play the tone.
A Skinny client (in other words, the IP phone) uses TCP/IP over port 2000 to communicate with the CallManager and all messages are nonencrypted. The following is a list of valid Skinny messages:
Code Station Message ID Message 0x0000 Keep Alive Message 0x0001 Station Register Message 0x0002 Station IP Port Message 0x0003 Station Key Pad Button Message 0x0004 Station Enbloc Call Message 0x0005 Station Stimulus Message 0x0006 Station Off Hook Message 0x0007 Station On Hook Message 0x0008 Station Hook Flash Message 0x0009 Station Forward Status Request Message 0x11 Station Media Port List Message 0x000A Station Speed Dial Status Request Message 0x000B Station Line Status Request Message 0x000C Station Configuration Status Request Message 0x000D Station Time Date Request Message 0x000E Station Button Template Request Message 0x000F Station Version Request Message 0x0010 Station Capabilities Response Message 0x0012 Station Server Request Message 0x0020 Station Alarm Message 0x0021 Station Multicast Media Reception Ack Message 0x0024 Station Off Hook With Calling Party Number Message 0x22 Station Open Receive Channel Ack Message 0x23 Station Connection Statistics Response Message 0x25 Station Soft Key Template Request Message 0x26 Station Soft Key Set Request Message 0x27 Station Soft Key Event Message 0x28 Station Unregister Message 0x0081 Station Keep Alive Message 0x0082 Station Start Tone Message 0x0083 Station Stop Tone Message 0x0085 Station Set Ringer Message 0x0086 Station Set Lamp Message 0x0087 Station Set Hook Flash Detect Message 0x0088 Station Set Speaker Mode Message 0x0089 Station Set Microphone Mode Message 0x008A Station Start Media Transmission 0x008B Station Stop Media Transmission 0x008F Station Call Information Message 0x009D Station Register Reject Message 0x009F Station Reset Message 0x0090 Station Forward Status Message 0x0091 Station Speed Dial Status Message 0x0092 Station Line Status Message 0x0093 Station Configuration Status Message 0x0094 Station Define Time & Date Message 0x0095 Station Start Session Transmission Message 0x0096 Station Stop Session Transmission Message 0x0097 Station Button Template Message 0x0098 Station Version Message 0x0099 Station Display Text Message 0x009A Station Clear Display Message 0x009B Station Capabilities Request Message 0x009C Station Enunciator Command Message 0x009E Station Server Respond Message 0x0101 Station Start Multicast Media Reception Message 0x0102 Station Start Multicast Media Transmission Message 0x0103 Station Stop Multicast Media Reception Message 0x0104 Station Stop Multicast Media Transmission Message 0x105 Station Open Receive Channel Message 0x0106 Station Close Receive Channel Message 0x107 Station Connection Statistics Request Message 0x0108 Station Soft Key Template Respond Message 0x109 Station Soft Key Set Respond Message 0x0110 Station Select Soft Keys Message 0x0111 Station Call State Message 0x0112 Station Display Prompt Message 0x0113 Station Clear Prompt Message 0x0114 Station Display Notify Message 0x0115 Station Clear Notify Message 0x0116 Station Activate Call Plane Message 0x0117 Station Deactivate Call Plane Message 0x118 Station Unregister Ack Message
The following diagrams illustrate the call setup of a phone call between two SCCP-enabled phones. Figure 7-1 shows an initial call setup as a user dials the extension 3068.
Figure 7-2 illustrates the next stage of the phone call in which the RTP media setup occurs. The StartMediaTransmission or OpenLogicalChannel message is the one that actually signifies when the media stream is established; only after both phones have received this message can the conversation begin.
Figure 7-3 illustrates the call teardown scenario once the receiving party hangs up the phone.
Companion Web Site Wireshark (http://www.wireshark.org) is a great tool for deciphering Skinny traffic that has been sniffed from the network. Because Skinny messages are unencrypted, it's relatively easy to make sense of the communication going on between a phone and the CallManager. As an example, we've made available a packet trace from our own Cisco VoIP lab of the standard communication that occurs between a Skinny phone and the CallManager when a call is placed. The trace is available at http://www.hackingvoip.com/traces/skinny.pcap. When you open the trace in Wireshark, it will look like Figure 7-4. The IP address of our Cisco 7912 IP phone is 172.16.3.247 and the IP address of our CallManager server is 172.16.3.18.
Lifting the Phone from the Cradle The first thing that happens in the trace once we lift the phone off the cradle is a Skinny OffHookMessage is sent in packet 7 to the CallManager. This, in turn , triggers a flurry of Skinny messages (packets 817) from the CallManger to the phone, ending on the Skinny StartToneMessage message, which tells the phone to play a standard dial tone.
Dialing Numbers In the example recorded in the trace, we dialed extension 2012. Notice that once we press the 2 button, a KeypadButtonMessage is sent from the phone to the CallManager in packet 18. If you click the packet and expand the details in Wireshark, you can clearly see the number 2 in the KeypadButton field (0x000000002). The CallManager sends two Skinny messages in response: the first one is a StopToneMessage in packet 19, which stops the dial-tone sound being played on the phone; and the second Skinny message, shown in packet 20, tells the phone the appropriate tone to play for the number that we pressed. The remaining numbers that we dialed0, 1, and 2are illustrated in packets 23, 25, and 27 respectively.
Call in Progress Starting at packets 3133, the CallManager updates the LCD display and dial tone of the phone to indicate that the call is being initiated and the receiving phone (x2012) is ringing. Through Skinny messages in packets 3442, the CallManager communicates with the phone at extension 2012 (IP address 172.16.3.248) in order to set it to ring. For more information on how SCCP works, check out the book Troubleshooting Cisco IP Telephony by Paul Giralt, Addis Hallmark, and Anne Smith (Cisco Press, 2002).
Cisco Unity is Cisco's voicemail solution that integrates with preexisting data stores such as Microsoft Exchange and Lotus Domino, for instance. Most Unity installations are sold by resellers on top of Media Convergence Servers or compatible IBM servers as is the CallManager. The Cisco Unity 4. x software runs on Windows Server 2003 or Microsoft Windows 2000 Server.
For the purposes of this chapter in examining the typical Cisco enterprise VoIP deployment, we're assuming that most switches and routers are Cisco branded as well. Therefore, the countermeasures and exploits will be specific to Cisco networking devices.
You can find more information on Cisco's line of switches and routers at the following links:
As you will see for many Cisco-specific recommendations in the following sections, it is necessary to have an almost homogenous Cisco network environment in order to implement many of them. This has its plusses and minuses, of course, depending on whether or not you've already spent the money to upgrade your networking environment to all Cisco.